Advisory

Icinga monitoring software reports and patches critical flaw

Take action: If you are running Icinga monitoring software, update to the latest patched version as soon as possible. If you can't update immediately, restrict the API port so it is reachable only from trusted networks. This is not a long-term solution, so patch soon.


Learn More

Icinga is reporting a critical security vulnerability in their monitoring software that affects the certificate validation mechanism for JSON-RPC and HTTP API connections.

The vulnerability is tracked as CVE-2024-49369 (CVSS score 9.8) and impacts all Icinga 2 versions from 2.4.0 onwards.

The vulnerability allows attackers to bypass TLS certificate validation and impersonate trusted cluster nodes or API users that authenticate with TLS client certificates. An attacker who does so could inject malicious configuration updates, execute unauthorized commands if certain configuration attributes are enabled, or access potentially sensitive information.

The following patched versions fix the issue:

  • v2.14.3
  • v2.13.10
  • v2.12.11
  • v2.11.12

The vulnerability has been patched across multiple platforms, including major Linux distributions, Windows Server environments, and container deployments. Updated packages are available for multiple environments including Amazon Linux, CentOS, Debian, Ubuntu, Red Hat Enterprise Linux, SUSE Linux Enterprise Server, and Windows Server installations (2012 and later).

For users that can't patch immediately, there is no complete workaround for this vulnerability. Organizations can temporarily reduce their attack surface by implementing firewall rules that restrict access to the Icinga 2 API port to trusted addresses only.
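To help an operator triage a fleet against the fixed releases listed above, here is an added example (not Icinga's own code) that classifies an installed version as not affected, patched, or vulnerable. It assumes the `icinga2 --version` banner contains a version of the form `r2.14.2-1`; the sample banner below is constructed, and versions newer than v2.14.3 are assumed to be fixed.

```python
import re
from typing import Optional, Tuple

# First fixed release of each maintained branch, as listed in the advisory
# for CVE-2024-49369. Earlier releases in the same branch, and branches from
# 2.4.0 up to 2.10.x that received no fixed release, are affected.
FIXED_RELEASES = {
    (2, 14): (2, 14, 3),
    (2, 13): (2, 13, 10),
    (2, 12): (2, 12, 11),
    (2, 11): (2, 11, 12),
}
FIRST_AFFECTED = (2, 4, 0)

# Matches "2.14.2" or "r2.14.2-1" inside a banner line (assumed banner format).
VERSION_RE = re.compile(r"r?(\d+)\.(\d+)\.(\d+)")

# Constructed sample of what `icinga2 --version` might print on a vulnerable host.
SAMPLE_BANNER = "icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.2-1)"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a bare version or a banner line."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version: Tuple[int, int, int]) -> str:
    """Classify a version against the advisory's affected range and fixes."""
    if version < FIRST_AFFECTED:
        return "not affected"
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        # Newer than every fixed release: assumed to carry the fix.
        if version > max(FIXED_RELEASES.values()):
            return "patched"
        # Branch between 2.4 and 2.10 with no fixed release: upgrade branches.
        return "vulnerable: no patched release in this branch, upgrade to v2.14.3 or later"
    if version >= fixed:
        return "patched"
    return "vulnerable: update to v%d.%d.%d or later" % fixed


if __name__ == "__main__":
    print(assess(parse_version(SAMPLE_BANNER)))
```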
